[11] Patent Number: 4,947,430
[45] Date of Patent: Aug. 7, 1990

checking, blinding, and unblinding of undeniable signatures are disclosed. The validity of such signatures is based on public keys and they are formed by a signing party with access to a corresponding private key, much as with public key digital signatures. A difference is that whereas public key digital signatures can be checked by anyone using the corresponding public key, the validity of undeniable signatures is in general checked by a protocol conducted between a checking party and the signing party. During such a protocol, the signing party may improperly try to deny the validity of a valid signature, but the checking party will be able to detect this with substantially high probability. In case the signing party is not improperly performing the protocol, the checking party is further able to determine with high probability whether or not the signature validly corresponds to the intended message and public key. Blinding can be used while obtaining undeniable signatures, while providing them to other parties, and while checking their validity.

48 Claims, 6 Drawing Sheets 
Figure 3
UNDENIABLE SIGNATURE SYSTEMS

BACKGROUND OF THE INVENTION 
1. Field of the Invention

This invention relates to cryptographic systems, and more specifically to multiparty authentication systems like public key digital signatures.

2. Description of Prior Art 

The concept of a "public key" is well known in the art. To form such a key, a secret seed is first chosen, typically at random from some suitable distribution. This secret seed is then used as the input to a public key creating algorithm. The resulting public key need not be kept secret; because of the "one-way" nature of the creating algorithm, deriving the secret seed from the public key is thought to be infeasible.

An often necessary aspect of public keys is their authenticity. There may be many users of a particular public key, and each must be ensured that they have its true value. If a bogus value were to be accepted as authentic by a particular user, then that user's security might be violated by the bogus key's creator. An example solution to this problem, which is often suggested, is to publish and widely distribute a directory of public keys.

An important use of public keys is for public key digital signatures, which are called "digital signatures" here for clarity. The message to be signed by a digital signature is represented as a number. The digital signature itself is also a number. It is formed from the message by a signing algorithm which uses a private key derived from the secret seed. A digital signature can be checked as corresponding to a particular message and public key combination, by applying a checking algorithm. Because the corresponding private key is thought to be needed in forming digital signatures, they are thought to be resistant to forgery.

One inherent property of digital signatures is that they can be checked by anyone knowing the corresponding public key. Thus, if you were to give a digital signature to someone, then they could show it to anyone else. Not only would each person seeing the signature be able to check it, but they could in turn supply it to others, who could also check and distribute it. Whereas this might be an advantage in some applications, it could be undesirable in others. For example, the issuer may wish to retain some monitorability or control over the showing of signatures.

The first really practical digital signature system was disclosed by Rivest, Shamir and Adleman in "A method for obtaining digital signatures and public-key cryptosystems," Communications of the ACM, Vol. 21, No. 2, February 1978. This so called RSA system remains probably the best known and most widely used for digital signatures. One of its drawbacks, however, is that its public key creating algorithm requires quite a substantial amount of computation compared to that required to form its digital signatures. Like most successful public key systems devised to date, RSA is partly based on the "discrete log" problem: all of its arithmetic is done in a finite group where given the representation of an element and a large power of that element, it is thought to be infeasible to discover what the power is. In essence, RSA and its cousins require that the order of the group be known only to the signer, which imposes a significant restriction on the group, making suitable groups difficult to find and also requiring a single group per signer.

RSA does, however, allow blind signatures, as described in European Patent Publication 0139313, dated 2/5/85, claiming priority on U.S. Ser. No. 524896, titled "Blind signature systems," by the present applicant. These first disclosed blind signatures required computation during blinding to anticipate all possible signature types. This amounted to more than a single multiply per signature type anticipated. The so called "unanticipated blind signatures" require only a fixed amount of computation during blinding to anticipate an unlimited number of kinds of signatures that might potentially be applied by a signer. Such systems were described in European Patent Publication 0218305, dated 4/15/87, claiming priority on U.S. Ser. No. 784999, titled "Unanticipated blind signature systems," also by the present applicant. A remaining difficulty with the exemplary embodiments of both schemes, however, is that the signer must be fixed at the time of blinding and cannot be changed, even for so called "re-blinding".

The other widely accepted digital signature scheme was disclosed by ElGamal in "A public key cryptosystem and a signature scheme based on discrete logarithms," Advances in Cryptology: Proceedings of CRYPTO 84, G. R. Blakely and D. Chaum Eds., Springer-Verlag, 1985. Whereas it is also discrete-log based, it does not require that the order of the group be kept secret, but does require that the order be known to all signers using the same group. Its public key creation algorithm is essentially as fast as its signing algorithm, but blind signatures have not been constructed based on these ElGamal signatures.

OBJECTS OF THE INVENTION 

Accordingly, it is an object of the present invention to provide a signature scheme that can require consent of the signer each time a signature is checked.

Another object of the present invention is to allow public key creation algorithms having a computational requirement comparable to that of signing.

A further object of the present invention is to allow a kind of blind signature in which blinding does not have to anticipate the type of signature nor who the signer will be.

Yet another object of the present invention is to allow signature schemes based on discrete log in groups for which nobody need know the order of the group, and for which there may be no harm if anyone learns it.

Still another object of the present invention is to allow efficient, economical, and practical apparatus and methods fulfilling the other objects of the invention.

Other objects, features, and advantages of the present invention will be appreciated when the present description and appended claims are read in conjunction with the drawing figures.

BRIEF DESCRIPTION OF THE DRAWING FIGURES

FIG. 1 shows a flowchart of a preferred embodiment of a combination public key creating and undeniable signature forming protocol in accordance with the teachings of the present invention.

FIG. 2 shows a flowchart of a preferred embodiment of a first exemplary undeniable signature checking protocol in accordance with the teachings of the present invention.
FIG. 3 shows a flowchart of a preferred embodiment of a second alternate exemplary undeniable signature checking protocol in accordance with the teachings of the present invention.

FIG. 4 shows a flowchart of a preferred embodiment of an exponential blinding and a corresponding re-blinding protocol in accordance with the teachings of the present invention.

FIG. 5 shows a flowchart of a preferred embodiment of an unanticipated signature blinding and a corresponding re-blinding protocol in accordance with the teachings of the present invention.

FIG. 6 shows a combination block and functional diagram of an exemplary unanticipated signature system including blinding for signatures and challenges and also re-blinding, all in accordance with the teachings of the present invention.

BRIEF SUMMARY OF THE INVENTION

In accordance with these and other objects of the present invention, a brief summary of an exemplary embodiment will now be presented. Some simplifications and omissions may be made in this brief summary, which is intended only to highlight and introduce some aspects of the invention, but not to limit its scope. Detailed descriptions of preferred exemplary embodiments adequate to allow those of ordinary skill in the art to make and use the inventive concepts are provided later.

An undeniable signature is verified by a cryptographic protocol conducted between the checker and the signer. In overview, the protocol of the exemplary embodiments consists of a challenge number formed by the checker and given to the signer, followed by a response number returned by the signer. After the exchange of this challenge and response, the checker performs a checking procedure. The inputs to the procedure are the response from the signer as well as the suitably-chosen random values used by the checker in forming the challenge. If the procedure's result is positive, then the checker has high certainty that the signature is valid, and consequently the verification of the signature can be regarded as completed.

If, on the other hand, the procedure's result is negative, the checker may wish to distinguish between two cases: (a) the signature is not valid; or (b) the signer is responding improperly to challenges, presumably in an effort to falsely deny a valid signature. The checker can learn which of the two cases applies — in spite of the signer's efforts to mislead the checker — by a further round of challenge and response. The second challenge and response can be formed in the same way as the first ones were, but both sets of independent random choices and both responses allow the checker's second procedure to determine which case above, (a) or (b), holds. The pair of challenges and corresponding responses may be thought of as in effect allowing the checker to learn whether the signer is answering consistently or not.

A simple example of these protocols and the checking procedures will now be described based on the multiplicative group having prime order $p$, with primitive element $g$, both of which could be used by every signer. (The fact that the order of the group is prime and public is used in this simple embodiment, but these properties are not necessary in general.) Consider a particular signer S, checker V, message $m$, private key $x$, public key $g^x$, and signature $z$ that should equal $m^x$. The first challenge is of the form $z^a g^{xb}$, where $a$ and $b$ are chosen by the signer independently and uniformly from the interval 1 to $p$. The signer's response should be the result of raising the challenge to the power $y$, where $y$ is the multiplicative inverse of $x$ modulo $p$. Thus the signer responds with $m^a g^b$, which V can readily construct for comparison. If the comparands are equal, then V is believed to know that with probability $1 - p^{-1}$ the signature is valid. If the comparands are unequal, however, V may still wish to know if the signature $z$ is invalid or if S is trying to improperly deny it; so the protocol is repeated with independently chosen $c$ and $d$ instead of $a$ and $b$, respectively. Then V uses the two responses $r_1$ and $r_2$ to test whether $(r_1 g^{-b})^c = (r_2 g^{-d})^a$. If the equality holds, it is believed that S is answering consistently and that $z$ is not a valid signature, with the same high probability as for signature validity; otherwise, S is answering improperly.

GENERAL DESCRIPTION

Turning now to FIG. 6, general descriptions of the interconnection and cooperation of the constituent parts of some exemplary embodiments of the present invention will first be presented.

The signing party 601 includes two transformations, signer 602 and responder 603, both of which depend on the secret seed value created by random generator 604. The initial output of a public key message (message [10] in FIG. 1, to be described) is not shown here for clarity and also because in some embodiments, like the preferred embodiments to be presented, a distinguished public key is not needed, since any undeniable signature (together with its corresponding unsigned message) can serve as such a public key, as will be obvious to those of ordinary skill in the art.

When the provider 605 provides an original message for signing, it may first optionally be blinded by blinder 606, which depends on random generator 607, before being input to signer 602, already mentioned. The signed output of signer 602 is then input to optional unblinder 608, which also depends on random generator 607, and which is used only when optional blinder 606 has been used. The output of unblinder 608 is then returned to provider 605.

Optionally, both the signed and unsigned message are individually blinded by blinder 609, depending on random source 610, before they are provided as input to a part of checking party 611 which is shown as challenger 612. Challenger 612 is dependent on random generator 613, also shown as part of checking party 611, and provides its challenge message(s) optionally to blinder 614, which depends on random source 615. The output of the optional blinder 614 is input to responder 603, which depends on random source 604 as already mentioned, and responder 603 provides its output to unblinder 616, which is used only when blinder 614 has been used and also depends on the random source 615. Then unblinder 616 provides its output to tester 617, a final part of checking party 611, responsive to random source 613 already mentioned and to challenger 612, and which produces the final three-valued output (indicating whether the undeniable signature is valid, the signature is invalid, or the response is improper).

The relation of the parts of FIG. 6, just described, to those of FIG. 1 through FIG. 5, which are to be described in detail later, will now be briefly described for completeness. Signer 602 of signing party 601 is shown as box 103, and also as box 402 or 502 when optional blinding 606 is used. When blinding 402 or 502 are used,
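The simple example just given, carried through in code. This is an added illustration and not code from the patent: the concrete group (the squares modulo the constructed safe prime q = 2039, which have prime order p = 1019 and are generated by g = 4), the hash-and-square mapping of a byte string to a group element, and the function names are choices made here. The checker's exponents a, b, c, d are passed in explicitly so that a run can be reproduced; the `__main__` block draws them with `secrets`, as a practitioner would. The result is the three-valued verdict (valid, invalid, improper) that the tester of the general description produces.

```python
"""Undeniable signature confirmation and disavowal over a prime-order group.

Added example, not code from the patent.  Constructed parameters: the
squares modulo the safe prime Q = 2039 form a group of prime order
P = 1019, generated by G = 4 (a square other than 1).
"""
import hashlib
import secrets

Q = 2039           # safe prime, Q = 2*P + 1 (constructed for this example)
P = (Q - 1) // 2   # prime order p of the group of squares modulo Q
G = 4              # primitive element g of that group


def to_group(message: bytes) -> int:
    """Map a message to a group element m by hashing, then squaring modulo Q.

    Squaring a nonzero residue always yields a square; this mapping is an
    assumption of the example, not a construction from the patent.
    """
    h = 1 + int.from_bytes(hashlib.sha256(message).digest(), "big") % (Q - 1)
    return pow(h, 2, Q)


def random_exponent(rng=secrets.randbelow) -> int:
    """Uniform in 1..p-1; the exponent p would act as 0 and make every check trivial."""
    return 1 + rng(P - 1)


def keygen(rng=secrets.randbelow):
    """Private key x and public key g^x."""
    x = random_exponent(rng)
    return x, pow(G, x, Q)


def sign(m: int, x: int) -> int:
    """Undeniable signature z = m^x, for a group element m."""
    return pow(m, x, Q)


def challenge(z: int, pub: int, a: int, b: int) -> int:
    """Checker's challenge z^a * (g^x)^b."""
    return pow(z, a, Q) * pow(pub, b, Q) % Q


def respond(ch: int, x: int) -> int:
    """Honest signer: raise the challenge to y = x^-1 mod p.

    When z = m^x this gives (m^(xa) * g^(xb))^y = m^a * g^b.
    """
    return pow(ch, pow(x, -1, P), Q)


def confirm(m, z, pub, x, a, b, responder=respond):
    """One round: the response is accepted if it equals m^a * g^b.

    x is handed to the responder only because signer and checker run in one
    process here; the checker's own computation never uses it.
    """
    r = responder(challenge(z, pub, a, b), x)
    return r == pow(m, a, Q) * pow(G, b, Q) % Q, r


def check(m, z, pub, x, a, b, c, d, responder=respond):
    """Three-valued verdict: 'valid', 'invalid' or 'improper'.

    If round one with (a, b) fails, round two uses (c, d) and the checker
    tests (r1 * g^-b)^c == (r2 * g^-d)^a.  Both sides equal z^(acy) when the
    signer honestly applied y to both challenges, so equality means a
    consistent signer and therefore an invalid z; inequality means the
    signer is answering improperly.
    """
    ok, r1 = confirm(m, z, pub, x, a, b, responder)
    if ok:
        return "valid"
    _, r2 = confirm(m, z, pub, x, c, d, responder)
    lhs = pow(r1 * pow(G, -b, Q) % Q, c, Q)
    rhs = pow(r2 * pow(G, -d, Q) % Q, a, Q)
    return "invalid" if lhs == rhs else "improper"


def denying_responder(ch: int, x: int) -> int:
    """A signer trying to disown a valid z: the correct response multiplied by g."""
    return respond(ch, x) * G % Q


if __name__ == "__main__":
    x, pub = keygen()
    m = to_group(b"constructed sample message")
    z = sign(m, x)
    a, b, c, d = (random_exponent() for _ in range(4))
    print("genuine z:      ", check(m, z, pub, x, a, b, c, d))
    print("tampered z*g:   ", check(m, z * G % Q, pub, x, a, b, c, d))
    print("denying signer: ", check(m, z, pub, x, a, b, c, d, denying_responder))
```

Two details matter for the security of the check: the exponents are drawn from 1..p-1 rather than 1..p, because the exponent p maps every group element to the identity and would let any z pass; and `check` receives the private key only so that both parties can be simulated in one process, so the checker side never touches `x`.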
then unblinding 607 is shown in box 403 and 503, respectively. The optional blinding of signed and unsigned messages before they are used in the protocols of FIG. 2 or FIG. 3 is shown as performed by blinder 609. This blinder produces a blinded and unblinded message pair, as already mentioned, which is shown in box 404 and 504, depending on whether the blinding of FIG. 4 or that of FIG. 5 is used, respectively. The challenger 613 and tester 617, both depending on random source 613 as mentioned, are both either of the type shown in FIG. 2 or that shown in FIG. 3. In the case of FIG. 2, challenger 612 is shown in both boxes 201 and 204; in the case of FIG. 3, it is in boxes 301 (supported by 303) and 306 (supported by box 308). Then one or more related challenges may optionally be blinded by blinder 614, which as mentioned is responsive to random source 615, such blinding being as shown in box 401 or box 501. Then responder 603 transforms each challenge, responsive to the output of random source 604 already mentioned, using the same choice of FIG. 2 or FIG. 3 used by the challenger 612 and tester 617 as already mentioned. For FIG. 2, the responses are shown formed in box 202 and 205; for FIG. 3 they are formed in boxes 302 combined with 304 and in 307 combined with 309. These responses are unblinded by optional unblinder 616, only when optional blinder 614 has been used as mentioned. Finally, the tester 617, responsive to random source 613 as mentioned, checks the responses using the same choice of FIG. 2 or FIG. 3 as described previously for challenger 612 and responder 603. For FIG. 2, the checking is shown spanning boxes 203 and 206; for FIG. 3, it is shown in boxes 305 and 310. The results of these tests determine the output of the tester 617.

As will be appreciated, the blinding of blinder 606 and its corresponding unblinding by blinder 608 will be used or not used as a whole; similarly for that of 614 and 616; and the blinding of the signed and unsigned message pairs by blinder 609 may be omitted or kept in its entirety. When such optional blinding and possibly unblinding is omitted, the blinding and unblinding operations shown are transparent and just pass their inputs through without change to their outputs, as might also happen if certain values are produced by the random sources involved.

General descriptions of the functions of some constituent parts in accordance with the teachings of the present invention will now be presented.

First it should be mentioned that all the lines in FIGS. 1-6 imply the transfer of messages. These may be held initially or delayed on their way, encoded and decoded cryptographically or otherwise to provide their authenticity and/or secrecy and/or error detection and/or error recovery. Thus the particular means or methods whereby messages are transferred are not essential to the present invention, and it is anticipated that any technique may be employed in this regard. The lines may for example be taken to represent communication means, in which case they might be realized in a variety of exemplary ways including as conductive paths, fibre optic links, or paths through a packet switched network; also suitable drivers, modems, or other appropriate interfaces may be required at the ends of such lines, as are well known in the art. Alternatively, the lines may be taken to stand for a message transfer step.

In FIG. 6, signing party 601 and checking party 611 are each shown as a collection of parts including two transformations and a random source. As will be described in detail later, FIGS. 1-5 also show parties as a collection of flowchart boxes forming a vertical column. The term "party" is used herein to indicate an entity with control over at least the secrecy of some information, usually at least one key. It is anticipated that a plurality of people may each know all or part of some key, and they might be thought of collectively as a party. In other cases, a key may be substantially unknown to people, and reside in some physical device, and the device itself or those who control it from time to time may be regarded as parties. Thus the parties denoted by single boxes or collections of boxes might sometimes be regarded as agents who perform a step or a collection of steps in a protocol. They might also be regarded as means for performing those steps and might be comprised of any suitable configuration of digital logic circuitry. For example, any box or collection of boxes from the figures could be realized by hard-wired and dedicated combinatorial logic, or by some sort of suitably programmed machine, a microprocessor for instance, such as are well known to those of skill in the art, just so long as it is able to perform the storage, input/output and transformational steps (possibly apart from the random source functions) described by the corresponding box or boxes.

Random sources 604, 607, 610, 613, and 615 of FIG. 6 and the uses of the word "random" shown in FIGS. 1-5 indicate the function of creating a value that should not be readily determined by at least one party. Many means and methods are known in the art for generating such unpredictable quantities, often called keys. Some are based on physical phenomena, such as noise in semiconductors, or patterns detected in humans pushing buttons, or possibly deterministic cryptographic techniques sometimes called pseudorandom generators. It is well known in the art that these various techniques can often be combined, and that post-processing can often improve the results.

Again referring to FIG. 6, the function of some constituent parts is continued.

Signer 602, one transformation of signing party 601 already mentioned, is any transformation that is believed at least not readily performed without the private key output of random source 604 and which cooperates with the challenge, response, and testing to be described. Naturally, as a kind of signature, the signer's output should be resistant to forgery by those without the signer's private key.

Provider 605 is a source of original messages to be signed. Its particular nature is not essential to the invention, and any way to obtain messages for which undeniable signatures will be made is suitable. Examples of messages requiring signatures known in the art include agreements, numbers with redundancy properties that encode value, blinded forms of digital pseudonyms, any sort of messages transferred between parties, etc.

Blinder 606 cooperates with unblinder 608 and derives its blinding key from random source 607. The blinding and unblinding function performed is to hide some message issued by the provider 605 by at least making it substantially unrecognizable to signer 602, and then to recover from the signature returned by signer 602 what would have been the signature had the signer signed the original message. Furthermore, blinding, as is well known in the art and disclosed more fully in the reference cited in the background of the invention, makes it substantially infeasible for the set of blinded messages to be linked to the set of unblinded
messages. Of course it is the signer's lack of knowledge about the particular outputs of the random source which is believed to make it substantially impossible, in the preferred embodiments, for the signer to link. This blinder 606, as well as the two other blinders 609 and 614, may use for example the embodiments of FIG. 4 or those of FIG. 5, and this may be mixed for the same or for different original messages.

Blinder 609 blinds, as described above, a pair of values corresponding to a signed and unsigned form of a message. In this way, the pair can be tested, as will be described, without even the party performing the test knowing what the actual message bearing the signature is. Thus no corresponding unblinding is needed, as the unblinded form may be retained by the provider 605. By issuing more than one pair of differently blinded forms of the same input pair, so called "re-blinding" as described in the unanticipated blind signature reference may be realized.

Checking party 611 includes a random key source as well as challenge creation and response testing parts. It may, but need not, be the same as provider 605 already described. (The checking party 611 is shown in FIGS. 2 and 3 as party V, which is the same symbolic name used for the provider and blinding parties in FIGS. 1, 4, and 5, but such naming is only for clarity and does not imply that these parties are necessarily the same.) A signature may sometimes be verified immediately by the provider who has requested it, or it may be verified later by some third party who received it directly or indirectly and possibly in blinded form from the provider. The checking party performs a cryptographic protocol in effect with signing party 601, although there may be intermediate blinding and unblinding of messages by blinder 614 and unblinder 616 to be described, which might possibly be controlled by yet another party. While the exemplary embodiments show some particular preferred patterns of interaction between the checking party 611 and the responder 603, any suitable protocol accomplishing the function of distinguishing the three cases described earlier would be appropriate. Furthermore, the preferred embodiments break the challenge and response sequence down into several parts, all or any of which could be combined (so long as for FIG. 3 the issue of the image under the one-way function, messages [32] and [37], precedes the receipt of the values needed by the signing party's checking, messages [33] and [38], and this precedes the release of the pre-image under the one-way function by the signing party, messages [34] and [39]). The challenge is issued responsive, in the exemplary embodiments, to either the signed or unsigned form of the message and to the key from random source 613.

Blinder 614 optionally blinds the challenge(s), responsive to random source 615, before it is received by the signing party.

Responder 603 receives the possibly blinded challenge(s) and issues corresponding response(s). Any sort of response or sequence of responses cooperating with and allowing the checking party to distinguish the three cases would be sufficient. In the preferred embodiments, these responses include exponentiation to powers derived from private key source 604, as shown in detail in FIGS. 2 and 3.

Unblinder 616, also responsive to key source 615, unblinds the response. It cooperates with blinder 614 in keeping at least one of the signing party or the checking party from learning the actual messages issued and received by the other party.

Tester 617, responsive to random source 613 and challenger 612, tests the responses to the challenges in a way that allows it to distinguish between three cases: (a) the signed message validly corresponds to the unsigned message, (b) the signed message does not validly correspond to the signed message, and (c) the signer is responding to the challenges improperly. These possibilities are distinguished in FIG. 2 by the tests of boxes 203 and 206, and in FIG. 3 by those of boxes 305 and 310. The output of the test may simply be an indication of which of the three cases is thought likely to hold. It should be pointed out that the first box for each figure just mentioned alone actually distinguishes between case (a) and the other two taken together. Thus it might be suitably employed by the provider to determine whether a signature is in fact valid. The second box mentioned distinguishes between the remaining two cases. It need not be used if the first test is positive or when it is otherwise not needed to distinguish [illegible] between cases (b) and (c) for [illegible] of signatures, but it is anticipated that [illegible] they could be distinguished is what [illegible] application viable.

[illegible] signatures authenticating its responses to inputs. Such digital signatures are well known in the art, and would include both the input and the corresponding output, possibly all under a compressing one-way function or the like. When such a digital signature is shown to a third party, possibly along with the various random choices and messages used to construct the input, the third party is able to authenticate the digital signature and test the input and output as would have been done by tester 617, as would be obvious to those of skill in the art and will be described in detail for some examples later. Thus, such digital signatures might be obtained from the signing party and later provided to a third party so that the party need not interact with the signing party. This might save a third party, who trusts the signing party, from having to communicate with the signing party in order to check an undeniable signature.

The particular choice of the group under which the exemplary embodiments may operate is not essential to the invention; however, for completeness various exemplary groups believed suitable will now be discussed along with their representations and some relevant considerations.

One general category of preferred exemplary embodiment would use a group of prime order. Such a group should preferably have a representation for which the already mentioned discrete log problem is believed difficult to solve in practice and for which the group operation and exponentiation are readily performed. Several exemplary such groups are now described.

One class of suitable groups, the multiplicative groups over $GF(2^n)$ where $2^n - 1$ is prime, is quite well known in the art. A survey of the literature on cryptographic use of these and other suitable groups, entitled "Discrete logarithms in finite fields and their cryptographic significance," was published by A. Odlyzko in the proceedings of Eurocrypt 84, T. Beth, N. Cot, and I. Ingemarsson Eds., Springer 1985.
A second and third exemplary class of suitable groups are defined based on the residue classes modulo a suitable large prime. It appears to be currently believed in the art that primes of sizes $2^{[\text{illegible}]}$ to $2^{1000}$ for example may provide security quite adequate for many applications in practice, though the present invention should in general not be interpreted as limited to groups of any particular size, since it can be applied using groups of any size allowing the requisite computations to be performed. Apparatus and methods for performing the group operation and exponentiation for such groups are by now well known in the art and available from several vendors.

For completeness, a few facts well known in the art will now be reviewed that might be employed to advantage in realizing the present invention efficiently in such groups. Primality tests of various types are quite well known in the art, which are capable of yielding primes of the required size. It is believed that, while proofs that there are infinitely many primes $q$ such that $q - 1$ is twice a prime are not known, experimental results show that such primes seem to occur with substantially the density that might be expected for the sizes mentioned above. Thus a prime with this property may be created simply by trying random numbers of the desired size, discarding those that fail to pass a primality test, and then further requiring that half of one less than a successful candidate also passes a primality test.

A second preferred exemplary embodiment is based on the multiplicative group of residue classes modulo $q$, with $q - 1 = 2p$ and $p$ a prime, whose least positive representatives are less than or equal to $p$. The group operation is ordinary multiplication modulo $p$, except that the result is normalized by taking either the product itself or its additive inverse, whichever has the smaller least positive representative. Thus, all integers between 1 and $p$ inclusive may be regarded as representing the members of the group, such membership being easy to check and such members being easy to map to from some original message space.

A third preferred exemplary embodiment uses the group of squares modulo a prime $q$ also such that [...]

[...] way to accomplish this, suggested by M. O. Rabin in "Digitalized signatures and public-key functions as intractable as factorization," which appeared as MIT technical report MIT/LCS/TR-212, January 1979, is to in effect multiply the input number by a small power of 2, randomly change the low-order bits thereby zeroed, and test for membership in the group. If the test fails, simply replace the low order bits with randomly chosen bits and repeat until success. Other applications may only require that elements in the group can be created; for these, the squaring of random values mentioned above would be sufficient. Finally, participants should test that the numbers they receive are in the group, which is also readily accomplished as already described.

Another exemplary embodiment uses a group with a known subgroup of small order (possibly with unknown subgroups of larger, and preferably only much larger, order). For example, consider the group of residues modulo a prime $q$ such that $q - 1$ is twice a prime, as already described. Instead of working with the group of squares or an isomorphic subgroup as already described, the entire group of residues could be used. The inequalities tested by V in the protocols of FIG. 2 and FIG. 3 (i.e. the last lines of boxes 203 and 305) are considered satisfied exactly when either they are satisfied as written or when they would be satisfied were one comparand (i.e. thing to be compared) to be multiplied by $-1$. The certainty given by the tests of FIG. 2 or FIG. 3 is believed to be essentially the same as that achieved with the group of squares of the same modulus. (For the blinding shown in FIG. 4 under this arrangement, each output is multiplied by $-1$ or left unchanged by V, the choice depending on an unbiased independent coin flip secret to V.)

Yet another preferred exemplary embodiment works with a group which has arbitrary structure. Unlike the groups of public and prime order already described, these groups may have an arbitrary group structure, and may even include many subgroups of small order. The group structure need not be known to any participant, and all or part of it might even secretly or openly be known to some participants. Multiparty security is still
(q— l)/2=p is prime. It is well known in the art that achievable in such a setting. But since there may be 
only elements in the group of squares modulo a prime subgroups of order 2. the protocols of FIG. 3 in particu- 
have Jacobi symbol 1 modulo that prime. Efficient algo- 45 lar might have to be repeated j times to yield certainty 
rithms for determining the Jacobi symbol of such values of 1 — since it is believed that each iteration would 
are also well known in the art. Since half the residues yield at least certainty of one-half. Naturally the 2 in the 
niodulo such a prime are squares modulo that prime, i.e. previous remark could be replaced by any known lower 
have Jacobi symbol 1, it is a simple matter to find ele- bound on the order of nontrivial subgroups, 
ments in the group of squares and to test elements for 50 • 
membership in that group. Another exemplary way to 
create an element that is known to be a square modulo 
q is simply to form the element as the square of any While it is believed that the notation of FIGS. 1-5 
element modulo q. It is also well known that an element would be clear to those of ordinary skill in the art, it is 
can be shown to be a square simply by showing its S5 here reviewed for definiteness. 
square root Since every element apart from 1 in the The operations performed are collected together into 
group of squares, or any group of prime order, gener- flowchart boxes. The column that such a box is in indi- 
ates the group of squares, the generator g can readily be cates which party performs the operation defined in 
taken to be the square of some public number, which that box. The columns are labeled by party name across 
allows everyone to verify that g is in the group of 60 the top. Some operations show how messages are 
squares just by checking that it results from squaring its formed on the right of the equal sign with the message 
public square root and that it is not 1. number (shown in square brackets) on the left of the 

The prime q and the generator g for this third exem- equal siga The operation of a party saving a value 
plary embodiment can be readily created as described under a symbolic name is denoted in the same way as 
above in a way which allows anyone receiving them to 65 that of forming a message, except that the symbolic 
verify that they have the proper form. Some applica- name appears on the left instead of a message number, 
tions may require an efficient way to map from say Another kind of operation is test for equality and in- 
small integers to elements m suitable for signing. One equality; these are indicated by the symbob and 
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**7^V\ respectively. The party performing one of these 
tests withm a protocol terminates the protocol when the 
condition is not satisfied; the protocol is stopped when 
the two comparands of an ?=7 differ or when the com- 
parands of a 1^1 are the same. Where the test is at the 
end of a protocol, the result of the protocol may be 
thought of as positive when the test would not have 
caused the protocol to terminate, and negative other- 
wise. The final kind of operation is that of sending a 
message. This is shown by a message nimiber on the left; 
followed by the recipient party's name and an arrow 
(these appear for readability as either a recipient name 
then left pointing arrow, when the recipient is on the 
left; or right pointing arrow then recipient name, when 
the recipient is on the right); foUowed by a colon; fi- 
nally followed by an expression fully denoting the ac- 
tual value of the message that should be sent Note that 
the values of some variables in such message expres- 
sions may not be known by the sender and others may 
be unknown to their recipient 
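The group facts reviewed above (a prime q with (q−1)/2 prime, membership in the group of squares by Jacobi symbol, g as the square of a public number, and the padding trick for mapping small integers into the group) carried through as an added Python example. This is constructed illustration code, not the patent's; the Miller-Rabin test, the 40-bit size and the padding width are the example's own choices.

```python
"""Safe-prime parameters and the group of squares modulo q.
Added illustration; not code from the patent."""
import random


def is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test (one of the well known tests the text alludes to)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_safe_prime(bits):
    """Try random odd candidates q of the desired size; keep q only when both q and (q-1)/2 pass."""
    while True:
        q = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime((q - 1) // 2):
            return q


def in_group_of_squares(v, q):
    """Membership test: for prime q, v is a nonzero square iff v^((q-1)/2) = 1, i.e. Jacobi symbol 1."""
    return 0 < v < q and pow(v, (q - 1) // 2, q) == 1


def verify_generator(g, public_root, q):
    """What any recipient can check: g is the square of the published root and is not 1."""
    return g == pow(public_root, 2, q) and g != 1


def map_to_group(n, q, pad_bits):
    """Map a small integer n to a square modulo q: shift n up by pad_bits (multiply by
    2^pad_bits), fill the zeroed low-order bits at random, retry until the test passes."""
    base = n << pad_bits
    if not 0 < base and base + (1 << pad_bits) <= q:
        raise ValueError("n does not fit below q after padding")
    while True:
        candidate = base | random.getrandbits(pad_bits)
        if in_group_of_squares(candidate, q):
            return candidate


def unmap_from_group(element, pad_bits):
    """Recover the original small integer by discarding the random padding bits."""
    return element >> pad_bits


if __name__ == "__main__":
    q = make_safe_prime(40)
    g = pow(2, 2, q)                       # square of the public number 2
    print(q, verify_generator(g, 2, q))
    e = map_to_group(12345, q, 16)
    print(e, in_group_of_squares(e, q), unmap_from_group(e, 16))
```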

Several ways to form expressions are used. One is just the word "random". This is used to mean that a value is preferably chosen substantially uniformly from an appropriate set defined in the text, and substantially independently of everything else in the protocol. Thus a party should preferably employ a physical random number generator for these purposes, but a variety of other techniques may be applied, as already described for boxes 604, 607, 610, 613, and 615. In practice, however, well known pseudo-random generator or hybrid techniques may be applied. Since the results of these random expressions are used as keys which should not be determinable by the other party to the protocol (at least until the creating party may choose to release them), the random generation must be substantially unpredictable to an adversary. The function f is preferably a publicly-agreed one-way function, such functions being well known in the art.

When no operation is shown explicitly, the group operation referred to here as multiplication is assumed.

Another kind of expression involves exponents which denote raising to powers in the group. The well known convention is adopted here that operations in the base are group operations and that arithmetic in the exponent is modulo the order of the group. But parties need not actually know the order of the group, in all but one optional case mentioned later, since parties can simply use natural number arithmetic in the exponent. Also, when a random value, as mentioned above, is to be created for use in the exponent, its distribution can be made very close to uniform, even when the order of the group is not known: the exponent is chosen, say, uniformly from 1 to, say, the square of an upper bound on the order of the group.

For clarity in exposition and concreteness, however, the preferred embodiments will be presented here in terms of the multiplicative group of order prime p. As has already been mentioned, the scope of the present invention should not be considered to be limited to any particular group, and the present detailed description could readily be translated by someone of ordinary skill in the art to any suitable group.

Turning now to FIG. 1, the first flowchart for part of the preferred embodiment will now be described in detail. This part shows public key creating and issuing, which need only be carried out once by the signer party S, and also the forming of a single undeniable signature for party V.

Flowchart box 101 shows S choosing x uniformly and at random from the interval 1 to p−1, such random selection as already mentioned. Then S raises g to the x'th power modulo p, such exponentiation already having been described and well known in the art. The resulting residue is then called message [10]. As per the definition of the notation already described, message [10] is then shown as being sent from S to V. This completes the creating and issuing of a public key by S.

Box 102 indicates that, after receiving the public key as message [10], V sends an original message m for signing to S as message [11]. For the purposes of the present invention the nature or source of m is not essential and it may be regarded as any suitable message (or blinded message, as has already been mentioned and will be mentioned in detail later).

Box 103 shows how, after receiving message [11], S first forms a signature from it by raising it to the secret power x. The exponentiation is done in this particular exemplary embodiment as already mentioned, in the group of order p. Finally, the signature denoted as message [12] is shown being sent by S to V, who would ordinarily receive it and retain it for possible later use in one of the other protocol parts.

It may be pointed out here that if an ordinary digital signature is formed by S on the pair comprising message [11] and message [12], sig(f([11], [12])), and this is later shown to a third party who trusts S, then the third party is able to determine that [12] is a valid undeniable signature of [11].

Turning now to FIG. 2, the second flowchart for part of a preferred embodiment will now be described in detail. This part shows a first exemplary arrangement for the checking of an undeniable signature, the issuing of which has just been shown in detail in FIG. 1.

Box 201 shows how V prepares the initial challenge and sends it to S. First a and b are chosen substantially independently and uniformly at random from 1 to p (or in some other suitable way when the order of the group is not known to V, as has already been mentioned). Then message [21] is formed as the product (in the group, as already mentioned) of message [12] raised to the power a and message [10] raised to the power b. This message is then sent by V to S, and should have the form shown in the last line of this box. (But since V does not know x, this is an example of the comment made earlier that neither party acting alone need be able to determine the value of all variables of such expressions.)

Box 202 is the formation and return of S's response to the challenge received from V. The multiplicative inverse of x modulo the order of the group is shown in the usual way in the exponent of message [21], to produce message [22]. Thus, message [22] is shown as being obtained by applying the inverse of the signing function to the message [21]. (A protocol not requiring that the order be known is shown in FIG. 3, to be described in detail.) The resulting message [22] should be of the form shown, m^a g^b, and is shown as being supplied to V.

Box 203 shows the checking of the response [22] received from S by V. First V uses the values of m, g, a, and b known to V to construct the value that should have been returned by S in case the signature was valid. This is done by raising m to the power a and multiplying the result by g raised to the power b. Then V simply compares the value constructed with that received from S in message [22]. If they are equal, then V stops the protocol, as called for by the definition of the symbol ?≠? given above. In this case, V knows that [12] is with high certainty the signature of m corresponding to public key [10]. In the remaining case, that the inequality holds, V continues the protocol with the knowledge that either (a) [12] is not the proper signature or (b) S is trying to improperly deny the signature. The rest of this flowchart allows V to distinguish between these two subcases.

Box 204 is similar to 201 except that c and d are used instead of a and b. First c and d are created by the random expression already described so that they are suitable secret exponents. Then message [24] is formed as the product of message [12] raised to the c power times message [10] raised to the d power. Finally, message [24] is sent by V to S.

Box 205 is again similar to its predecessor, box 202, and in fact the operations performed by S are the same. The only difference is that the input is message [24] instead of [21] and the output is [25] instead of [22]. One consequence of this is that S need not know which of these two steps in the protocol is being performed.

Box 206 shows the final test made by V based on the messages [22] and [25] received from S. The test shown is made by comparing the equality of two essentially similarly constructed quantities. The first is the product of message [22] and g raised to the −b power, all raised to the c power; the second is message [25] times g to the −d power, all to the a power. Notice that the negative exponents on g need not mean that V must compute multiplicative inverses, since the multiplicative inverse of g could have been made public by some other party. As should be obvious to those of skill in the art, however, the comparison can be made in practice without needing multiplicative inverses. There are two cases: if bc>da, test [22]^c ?=? [25]^a g^(bc−da), or if bc≤da, test [22]^c g^(da−bc) ?=? [25]^a. Regardless of how the test is made, if the equality holds, then S is with high probability behaving honestly and [12] is not a valid signature; if the equality does not hold, then S is believed to be behaving improperly.

Again the possibility of an ordinary digital signature on the transaction by S is considered. It might in this case contain message [21] and message [22] and could be denoted: sig(f([21], [22])). The third party would be supplied this digital signature, m, [12], a, and b by V, and would check the validity of the undeniable signature by checking that the digital signature is valid, [21] ?=? [12]^a [10]^b and [22] ?=? m^a g^b. Such testing may be considered to be shown in FIG. 2, since essentially the same operations are performed by V.
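The FIG. 2 exchange (boxes 201 to 206) carried through in Python over a constructed toy group, as an added example that is not part of the patent. The parameters p=1019, q=2039, g=4, the fixed exponents, and the model of an improper S as one that answers consistently under some other key are the example's assumptions.

```python
"""FIG. 2 confirmation and disavowal exchange over a constructed toy group.
Added illustration; not code from the patent."""
import random

# Constructed toy parameters: p = 1019 prime, q = 2p + 1 = 2039 prime, and
# g = 2^2 generates the order-p group of squares modulo q.
P = 1019
Q = 2 * P + 1
G = pow(2, 2, Q)


def keygen(x):
    """Box 101: private key x in 1..p-1, public key [10] = g^x."""
    assert 1 <= x <= P - 1
    return x, pow(G, x, Q)


def sign(m, x):
    """Box 103: undeniable signature [12] = m^x, m being a group element."""
    return pow(m, x, Q)


def honest_responder(x):
    """Boxes 202/205: S raises the challenge to 1/x, the inverse taken modulo the order p."""
    x_inv = pow(x, -1, P)
    return lambda chal: pow(chal, x_inv, Q)


def wrong_key_responder(x_fake):
    """An improper S that answers consistently under another key, trying to deny a signature."""
    return honest_responder(x_fake)


def challenge(z, h, e1, e2):
    """Boxes 201/204: [21] = [12]^a [10]^b (likewise [24] with c, d)."""
    return (pow(z, e1, Q) * pow(h, e2, Q)) % Q


def strip_g(resp, e):
    """resp * g^(-e); exponent arithmetic is modulo the group order, so no inverse is needed."""
    return (resp * pow(G, (-e) % P, Q)) % Q


def check_signature(m, z, h, respond, exponents=None):
    """V's side of FIG. 2 for purported signature z = [12] on m under public key h = [10].
    Returns 'valid', 'invalid' or 'signer_improper'."""
    if exponents is None:
        rng = random.SystemRandom()
        exponents = tuple(rng.randrange(1, P) for _ in range(4))
    a, b, c, d = exponents
    r1 = respond(challenge(z, h, a, b))                      # [22]
    if r1 == (pow(m, a, Q) * pow(G, b, Q)) % Q:              # box 203: [22] ?=? m^a g^b
        return "valid"
    r2 = respond(challenge(z, h, c, d))                      # [25]
    # Box 206: ([22] g^-b)^c ?=? ([25] g^-d)^a
    if pow(strip_g(r1, b), c, Q) == pow(strip_g(r2, d), a, Q):
        return "invalid"            # S answered consistently, so [12] is not the signature of m
    return "signer_improper"        # the two responses are inconsistent with any single key


if __name__ == "__main__":
    x, h = keygen(77)
    m, other = pow(G, 5, Q), pow(G, 9, Q)       # two messages mapped into the group
    z = sign(m, x)
    print(check_signature(m, z, h, honest_responder(x)))                # valid
    print(check_signature(m, sign(other, x), h, honest_responder(x)))   # invalid
    print(check_signature(m, z, h, wrong_key_responder(78)))            # signer_improper
```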

Turning now to FIG. 3, the third flowchart for part of a preferred embodiment will now be described in detail. This part shows a second alternate arrangement for the checking of an undeniable signature, the issuing of which has already been shown in detail in FIG. 1.

Box 301 is similar to box 201 in that a first challenge is created based on two randomly generated exponents, called again here a and b. Thus, V chooses these two exponents substantially independently and uniformly, and keeps them secret. What V sends to S in message [31] is the product of m raised to the a and g raised to the b. Notice that since all of these values are known to V, the explicit construction of the message is omitted from the flowchart and its value is shown in the line for the sending of the message only.

Box 302 entails S raising the received message [31] to the x power and then applying the one-way function f to the result. This image under the one-way function is what is returned to V by S in message [32].

Box 303 merely indicates that after receiving message [32] from S, V forwards m, a, and b individually to S in messages [33.1], [33.2], and [33.3], respectively.

Box 304 first shows how S tests that all the messages received from V during this part of the protocol, [31], [33.1], [33.2], and [33.3], are mutually consistent. This is accomplished by testing the equality of [31] with the result of reconstructing its value from the others. The reconstruction is accomplished by forming the product of [33.1] raised to the [33.2] with g raised to the [33.3]. If the equality is not satisfied, S stops the protocol, as per the definition of the notation, and knows that V has been supplying improper messages. If the equality is satisfied, S returns to V message [31] raised to the secret power x in the form of message [34].

Box 305 shows two tests by V. The first checks that [34] really is the inverse image of [32] under f. If this test fails, then V stops the protocol knowing that S was supplying improper messages. Otherwise V makes a test similar in intention and form to that of box 203. Message [34] is tested for inequality with the product of message [12] raised to the power a and message [10] raised to the power b. If they are equal, then V stops the protocol and knows that with high probability [12] is indeed the signature of m corresponding to public key [10]. In case the inequality does hold, V continues the protocol but with the knowledge that either (a) [12] is not the proper signature or (b) S has tried to improperly deny the signature. And as with FIG. 2, the remaining part of this flowchart allows V to distinguish between these two subcases.

Box 306 is similar to box 204 in that a second challenge is created based on two randomly generated exponents, called again here c and d, but they are combined into the challenge in the style of 301. That is, [36] is formed as the product of m raised to the c times g raised to the d, and it is supplied by V to S.

Box 307 shows S raising the received message [36] to the x power and then applying the one-way function f to the result. This image under the one-way function is what is returned to V by S in message [37].

Box 308 denotes that after receiving message [37] from S, V sends a and b individually to S in messages [38.1] and [38.2], respectively.

Box 309 first shows how S tests the mutual consistency of messages [36], [33.1], [38.1], and [38.2] received from V. This is accomplished by testing the equality of [36] and the product of [33.1] raised to the [38.1] times g raised to the [38.2]. If the equality is not satisfied, S stops the protocol knowing that V has been supplying improper messages. If the equality is satisfied, S supplies V with message [36] raised to the power x, called message [39].

Box 310 shows two tests by V. The first checks that [39] is the inverse image of [37] under f. If this is not so, then V stops the protocol knowing that S was supplying improper messages. The second tests messages [34] and [39] received from S. The test shown compares the equality of two values. The first value is the product of message [34] and g raised to the −b power, all raised to the c power; the second is message [39] times g to the −d power, all to the a power. Again, as should be obvious to those of skill in the art, the comparison can be made in practice without computing multiplicative inverses. There are two cases: if bc>da, test [34]^c ?=? [39]^a g^(bc−da), or if bc≤da, test [34]^c g^(da−bc) ?=? [39]^a. No matter how the test is made, if the equality holds, then S is with high probability behaving honestly and [12] is not a valid signature; if the equality does not hold, then S is believed certainly to be performing improperly.

A digital signature issued for this protocol by S need include only messages [31] and [34], and would thus be of the form: sig(f([31], [34])). The third party would additionally be supplied m, [12], a, and b by V, and would check the validity of the undeniable signature by checking that the digital signature is valid, [31] ?=? m^a g^b and [34] ?=? [12]^a [10]^b. Such testing again may be considered to be shown in FIG. 3, since it entails essentially the same operations already shown as performed by V.
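The FIG. 3 variant (boxes 301 to 310), in which S commits to f([31]^x) before V reveals m, a, b and never needs 1/x, as an added example over the same constructed toy group; it is not code from the patent, and SHA-256 stands in for the one-way function f. One reading choice is flagged in the code: since [34] = [31]^x carries x in every exponent, the factor the example removes before the cross-test of box 310 is [10]^b, the public key raised to b, rather than g^b.

```python
"""FIG. 3 checking protocol with commitment by S and consistency check of V's reveals.
Added illustration over a constructed toy group; not code from the patent."""
import hashlib

P = 1019                 # constructed toy group order (prime)
Q = 2 * P + 1            # 2039, prime
G = pow(2, 2, Q)         # generator of the order-p group of squares modulo q


def f(v):
    """The publicly agreed one-way function; SHA-256 of the decimal string is this example's choice."""
    return hashlib.sha256(str(v).encode()).hexdigest()


class Signer:
    """S's side. key_used differs from x only for an improper S trying to deny a signature."""

    def __init__(self, x, key_used=None):
        self.x = x
        self.key_used = x if key_used is None else key_used

    def commit(self, chal):
        # Boxes 302/307: [32] = f([31]^x), sent before S learns m, a or b
        return f(pow(chal, self.key_used, Q))

    def open(self, chal, m, e1, e2):
        # Boxes 304/309: reconstruct the challenge from the revealed values; stop if inconsistent
        if chal != (pow(m, e1, Q) * pow(G, e2, Q)) % Q:
            return None                     # V supplied improper messages
        return pow(chal, self.key_used, Q)  # [34] (or [39])


def check_signature(m, z, h, signer, exponents):
    """V's side for purported signature z = [12] on m under h = [10].
    Returns 'valid', 'invalid' or 'signer_improper'."""
    a, b, c, d = exponents
    chal1 = (pow(m, a, Q) * pow(G, b, Q)) % Q     # [31] = m^a g^b
    commit1 = signer.commit(chal1)                # [32]
    r1 = signer.open(chal1, m, a, b)              # [33.1..3] revealed, [34] returned
    if r1 is None or f(r1) != commit1:            # box 305, first test
        return "signer_improper"
    if r1 == (pow(z, a, Q) * pow(h, b, Q)) % Q:   # box 305: [34] ?=? [12]^a [10]^b
        return "valid"
    chal2 = (pow(m, c, Q) * pow(G, d, Q)) % Q     # [36] = m^c g^d
    commit2 = signer.commit(chal2)                # [37]
    r2 = signer.open(chal2, m, c, d)              # [38.*] revealed, [39] returned
    if r2 is None or f(r2) != commit2:            # box 310, first test
        return "signer_improper"
    # Box 310, second test. [34] = (m^a g^b)^x, so stripping [10]^b = g^(xb) leaves m^(ax)
    # (this example's reading); the two sides then agree exactly when S used one key throughout.
    lhs = pow((r1 * pow(pow(h, b, Q), -1, Q)) % Q, c, Q)
    rhs = pow((r2 * pow(pow(h, d, Q), -1, Q)) % Q, a, Q)
    return "invalid" if lhs == rhs else "signer_improper"


if __name__ == "__main__":
    x = 77
    h = pow(G, x, Q)
    m, other = pow(G, 5, Q), pow(G, 9, Q)
    z = pow(m, x, Q)
    exps = (3, 5, 7, 11)
    print(check_signature(m, z, h, Signer(x), exps))                 # valid
    print(check_signature(m, pow(other, x, Q), h, Signer(x), exps))  # invalid
    print(check_signature(m, z, h, Signer(x, key_used=78), exps))    # signer_improper
```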

Turning now to FIG. 4, the fourth flowchart for part of the preferred embodiment will now be described in detail. This part shows one kind of blinding, called "exponential blinding," of a message by party V, raising the result to a secret power by S, and unblinding of the returned message by V. As will be obvious to those of ordinary skill in the art, and will be described later in detail, these operations are generic: blinding could be performed by V on any message before it is raised to a secret power by S, and the result returned by S could be unblinded. In particular, it could be applied to all three blindings and unblindings shown in FIG. 6, i.e. 606 and 608; 609 alone; or 614 and 616.

Box 401 shows how V blinds message u and sends it to S. First V chooses r independently and uniformly from 1 to p−1. Then V raises u to the power r to form message [41], which V sends to S.

Box 402 shows receipt of message [41] by S and its transformation and subsequent return to V. To make the transformation, S raises message [41] to the secret power y; the result is supplied to V as message [42].

Box 403 shows the unblinding of the blinded message received by V. The multiplicative inverse of r modulo the order of the group is applied as an exponent to the message [42] received from S, and the result is shown as message [43]. For clarity, the last line of box 403 shows parenthetically that the value of message [43] should be u raised to the y power.

Box 404 shows the optional creation of another secret blinding key t, and its use in reblinding the message u. First t is created at random as r was. Then message [44] is formed as u raised to the power t. Message [45] is shown as being created by raising message [43] to the t power. For clarity, the last line of box 404 again shows parenthetically that the value of message [45] should be u raised to the power yt.

Some specific examples will now be presented so that some exemplary embodiments of the generic exponential blinding and unblinding operations just described in detail may be more fully appreciated. In FIG. 1, message [11] could be blinded by V before being sent to S for signing (i.e. y=1/x), and the resulting message [12] could be unblinded by V before it is used in FIG. 2, as is shown by blinder 606 and unblinder 608 already described. Message [31] could also be blinded before being sent to S in the testing of FIG. 3 (y=x), and the returned message [34] could be unblinded before being tested, as shown by blinder 614 and unblinder 616; the blinding of message [36] and the testing of the returned message [39] would of course be essentially the same. When the same operations are applied for FIG. 2, it will be obvious to those of ordinary skill in the art that the exponent used in boxes 401 and 403 would be exchanged (with y=1/x) if they are to serve as 606 and 608, respectively. Notice that messages [44] and [45] could be regarded as the unsigned and signed form, respectively, of a single blinded message, such as might be used as input to challenger 612, for either FIG. 2 or FIG. 3.

As would be obvious to those of ordinary skill in the art, the blinding of various messages can be superimposed, to give for example double blinding as disclosed in the application entitled "blind signature systems," by the present applicant, already mentioned in the description of the prior art. So called "re-blinding" was disclosed for the unanticipated blind signature system already referenced in the description of the prior art. For the present invention, a kind of re-blinding is also possible. The result of re-blinding is a pair comprising a blinded message and a blinded signature of that message. These could then be used in the protocol of FIG. 2 as just described. Some other protocol, such as that disclosed by Chaum and Evertse in "A secure and privacy-protecting protocol for transmitting personal information between organizations", Proceedings of Crypto 86, A. Odlyzko Ed., Springer 1987, might be used to show that these re-blinded messages are related to some other messages in a desired way, and the protocol of FIG. 2 for instance used to show that one member of the pair is in fact a signature on the other member.

Ordinary digital signatures could be used here again to allow a third party to check a transaction that is blinded in the way shown in FIG. 5. In addition to the other data already described in detail for FIGS. 1-3, the exponent r must also be provided to the third party to allow checking. Then the third party performs the checks as already described, except that the expression corresponding to the input to S must be raised to the r power and the multiplicative inverse of r modulo p must be applied to the expression for the output of S, as would be obvious to those of skill in the art.

Turning now to FIG. 5, the fifth flowchart for part of the preferred embodiment will now be described in detail. This part shows another kind of blinding, related to the "blinding for unanticipated signatures" already referenced in the background of the invention, in which a message is blinded by V, the result is raised by S to a secret power y, and the returned message is unblinded by V.

Box 501 shows how V blinds message m and sends it to S. First V chooses r independently and uniformly from 1 to p−1. Then V raises g to the power r and multiplies the result with m to form message [51], which V sends to S.

Box 502 shows receipt of message [51] by S and its signing and subsequent return to V. To make the signature, S raises message [51] to the secret power y; the result is supplied to V as message [52].

Box 503 shows the unblinding of the signed blinded message received by V. The multiplicative inverse of message [10] raised to the r is first formed. Then this is multiplied with message [52] received from S, and the result is shown as message [53]. Again for clarity, the last line of box 503 shows parenthetically that message [53] should have the value m raised to the y power.

Box 504 shows the optional creation of another secret blinding key t and its use in re-blinding the message m. First t is created at random as r was. Then message [54] is formed as m times g to the power t. Message [55] is shown as being created by raising message [10] to the t power and multiplying the result by message [53]. For clarity, the last line of box 504 again shows parenthetically that the value of message [55] should be m raised to the power t times g raised to the power yt. It should be pointed out that the forming of message [55] has been shown for clarity only in the case when x=y, but, as would be obvious to those of skill in the art, in the case when y=1/x message [55] would not be formed from message [10], but would rather be formed from the analog of message [10] that contains the value g^(1/x). Notice that messages [54] and [55] could again be regarded as the unsigned and signed form, respectively, of a single blinded message.

As an example use of such unanticipated signature techniques adapted to this setting, the signing operation of FIG. 1 might be performed so as to yield V an undeniable signature unlinkable by S. That is, if a plurality of such signatures are obtained with independent r's, then S should be unable to determine anything about which signature corresponds with which instance of the signing process. The pair comprising a blinded message and a blinded signature of that message used in re-blinding has already been shown in box 504, and the comments already made for box 404 could apply to this box as well.

Some specific examples will now be presented so that some exemplary embodiments of the generic unanticipated signature blinding and unblinding operations just described in detail may be more fully appreciated. In FIG. 1, message [11] could be blinded by V before being sent to S for signing (i.e. y=x), and the resulting message [12] could be unblinded by V before it is used in FIG. 2, as is shown by blinder 606 and unblinder 608 already described. Message [31] could also be blinded before being sent to S in the testing of FIG. 3 (y=x), and the returned message [34] could be unblinded before being tested, as shown by blinder 614 and unblinder 616; the blinding of message [36] and the testing of the returned message [39] would of course be essentially the same. When the same operations are applied for FIG. 2, it will be obvious to those of skill in the art that the exponent used in boxes 501 and 503 would be exchanged (with y=1/x) if they are to serve as 606 and 608, respectively. Notice that messages [54] and [55] could be regarded as the unsigned and signed form, respectively, of a single blinded message, such as might be used as input to challenger 612, for either FIG. 2 or FIG. 3.

Ordinary digital signatures could again be used to allow a third party to check a transaction that is blinded in the way shown in FIG. 5. In addition to the other data already described in detail for FIGS. 1-3, the exponent r must also be provided to the third party to allow checking. Then the third party performs the checks as already described, except that the blinding factor g^r must be included in the expression corresponding to the input to S and [10]^(−r) must be included in the expression for the output of S.

As again would be obvious to those of ordinary skill 
in the art, the blinding of various messages can be super- 
imposed to give double blinding as already mentioned 
and re-blinding is also possible as already described 
during the detailed description for FIG. 4. 
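Both blinding forms described above, the exponential blinding of FIG. 4 and the g^r blinding of FIG. 5, together with their re-blinding steps, as an added example over the same constructed toy group; this is not code from the patent, and y, r and t are fixed sample values rather than random choices.

```python
"""Exponential blinding (FIG. 4) and unanticipated-signature blinding (FIG. 5).
Added illustration over a constructed toy group; not code from the patent."""
P = 1019                 # constructed toy group order (prime)
Q = 2 * P + 1            # 2039, prime
G = pow(2, 2, Q)         # generator of the order-p group of squares modulo q


def raise_secret(msg, y):
    """S's only operation in both figures (boxes 402 and 502): raise to the secret power y."""
    return pow(msg, y, Q)


def exp_blind(u, r):
    """Box 401: [41] = u^r."""
    return pow(u, r, Q)


def exp_unblind(signed, r):
    """Box 403: [43] = [42]^(1/r), the inverse of r taken modulo the group order p."""
    return pow(signed, pow(r, -1, P), Q)


def exp_reblind(u, unblinded, t):
    """Box 404: ([44], [45]) = (u^t, [43]^t), a fresh blinded message and its signed form."""
    return pow(u, t, Q), pow(unblinded, t, Q)


def mult_blind(m, r):
    """Box 501: [51] = m * g^r."""
    return (m * pow(G, r, Q)) % Q


def mult_unblind(signed, h, r):
    """Box 503: [53] = [52] * ([10]^r)^-1, where h = [10] = g^y is S's public key."""
    return (signed * pow(pow(h, r, Q), -1, Q)) % Q


def mult_reblind(m, h, unblinded, t):
    """Box 504 (case x = y): ([54], [55]) = (m * g^t, [10]^t * [53])."""
    return (m * pow(G, t, Q)) % Q, (pow(h, t, Q) * unblinded) % Q


def fig4_session(u, y, r, t):
    """Full FIG. 4 flow; returns ([43], [44], [45]). V never sends u itself to S."""
    m41 = exp_blind(u, r)
    m42 = raise_secret(m41, y)               # S sees only u^r
    m43 = exp_unblind(m42, r)                # should equal u^y
    m44, m45 = exp_reblind(u, m43, t)
    return m43, m44, m45


def fig5_session(m, y, r, t):
    """Full FIG. 5 flow; returns ([53], [54], [55]). S sees only m * g^r."""
    h = pow(G, y, Q)                         # [10]
    m51 = mult_blind(m, r)
    m52 = raise_secret(m51, y)
    m53 = mult_unblind(m52, h, r)            # should equal m^y
    m54, m55 = mult_reblind(m, h, m53, t)
    return m53, m54, m55


if __name__ == "__main__":
    y, r, t = 77, 123, 456
    u = pow(G, 5, Q)
    m43, m44, m45 = fig4_session(u, y, r, t)
    print(m43 == pow(u, y, Q), m45 == pow(m44, y, Q))   # True True
    m53, m54, m55 = fig5_session(u, y, r, t)
    print(m53 == pow(u, y, Q), m55 == pow(m54, y, Q))   # True True
```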

Another variation that would be obvious to those of ordinary skill in the art would involve plural original message parts in a signature. The signature would consist of the product of each such message part raised to a different power. The challenge would contain a separate message corresponding to each part of a signature. The response would be the product of all such messages of a challenge, each having the exponent corresponding to the corresponding message part.

A further and not necessarily mutually exclusive use anticipated would be to include more than two terms in a challenge message. With such an arrangement the mutual consistency of more than two message/signature pairs could be tested while keeping some of the message and processing costs the same. Different random exponents could be used on each term, but if there were sufficiently many terms, it is anticipated that various possibly randomly chosen combinations of possibly smaller exponents might be used.

While these descriptions of the present invention 
have been given as examples, it will be appreciated by 
those of ordinary skill in the art that various modifica- 
tions, alternate configurations and equivalents may be 
employed without departing from the spirit and scope 
of the present invention. 

What is claimed is:

1. A cryptographic method for forming and checking undeniable signatures where the signatures are called "undeniable" because they can be verified in a protocol between a signing party and a checking party and the signing party is unable to conduct the protocol improperly so as to "deny" the validity of a valid undeniable signature previously issued by the signing party without such improper denial giving at least a probability with at least a known lower bound that the checking party will learn that the signing party has conducted the protocol improperly, the method comprising the steps of:

forming an undeniable signature from an unsigned 
message by said signing party using a private key 
corresponding to a public key, and the resulting 
undeniable signature being issued to at least one 
party other than the signing party; 

forming at least one challenge by a checking party 
using a challenge key known to said checking 
party, the challenge key being unknown to said 
signing party at least until a response by said sign- 
ing party is committed to by the signing party, and 
the challenge at least partially depending on at least 
one member of a pair having a purported undeni- 
able signature and said unsigned message, and sup- 
plying the at least one challenge to said signing 
party; 

transforming at least one said challenge received by 
said signing party using knowledge of said private 
key and returning to said checking party the result 
of the transformation as said response; and 
checking at least one said response received by said 
checking party using values at least depending on 
said challenge key, to give at least a probability 
having a known lower bound that the signing party 
is unable to prevent the checking party from distin- 
guishing between three cases: 
(a) that said purported undeniable signature is a 
valid undeniable signature corresponding both to 
said public key and to said unsigned message, (b) 
that the purported undeniable signature is not a 
valid undeniable signature corresponding both to 
the public key and to the unsigned message, and 
(c) that the response by the signing party is an 
improper response. 

2. The method according to claim 1, wherein said 
signing party is unable with said probability having a 
known lower bound to prevent the checking party from 
distinguishing between said three cases because of the 
inability of the signing party to perform certain compu- 
tations in a predetermined available time period. 

3. The method according to claim 1, wherein said 
signing party is unable with said probability having a 
known lower bound to prevent said checking party 
from distinguishing between said three cases regardless 
of the computational resources available to the signing 
party. 

4. The method according to claim 1, wherein said 
signing party develops said public key and correspond- 
ing private key from a substantially randomly chosen 
seed and the signing party issues the public key making 
it receivable to said checking party. 

5. The method according to claim 1, wherein said 
signing party receives substantially said unsigned mes- 
sage from a providing party and the signing party re- 
turns said undeniable signature to the providing party. 

6. The method according to claim 5, wherein said 
providing party supplies said undeniable signature to 
said checking party and the checking party is distinct 
from the providing party. 

7. The method according to claim 3, wherein said 
signing step comprises raising said unsigned message to 
a signing power derived from said private key, such 
exponentiation being performed in a finite structure 
where the inverse of such exponents is unknown. 

8. The method according to claim 1 further including 
the step of: 

creating a public key and a corresponding private 
key, and distributing them so that the private key is 
known to said signing party and the public key but 
not the private key is known to a checking party. 

9. The method as in claim 1, further comprising the 
steps of: 

blinding said unsigned message responsive to a blind- 
ing key before providing the resulting blinded un- 
signed message to said signing party in place of said 
unsigned message; and 

unblinding said undeniably signed message returned 
by said signing party responsive to said blinding 
key. 

10. The method as in claim 1, further comprising the 
steps of: 

blinding, responsive to a blinding key, said undeni- 
ably signed message and also said corresponding 
unsigned message; and 

using said blinded undeniably signed and said blinded 
unsigned messages in place of said undeniably 
signed and said unsigned message, respectively, by 
said checking party in 

11. The method as in claim 1, further comprising the 
steps of: 

blinding, responsive to a blinding key, at least part of 
one of said challenge and said response; and 

unblinding, responsive to said blinding key, at least 
part of the other one of said challenge and said 
response. 

12. The method according to claim 9, 10 or 11 
wherein: 

said signing step includes raising said unsigned mes- 
sage to a secret signing power derived from said 
private key, such exponentiation being performed 
in a finite structure where it is defined; 

said blinding step includes the operation of raising the 
message to be blinded to a power derived from said 
blinding key; and 
said unblinding step includes raising the message to 
be unblinded to a power that acts as an inverse 
operation to that of said blinding operation. 

13. The method according to claims 9, 10 or 11 
wherein: 

said signing step includes raising said unsigned mes- 
sage to a secret signing power derived from said 
private key, such exponentiation being performed 
in a finite structure where it is defined; 

said blinding step includes forming a product of at 
least a first message which is raised to a blinding 
power derived from said blinding key times at least 
a second message to be blinded; and 

said unblinding step includes forming a product of the 
multiplicative inverse of the undeniably signed 
form of said first message raised to the blinding 
power times said second message. 
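The following is an added worked example, not code from the patent, of the blinding operations of claims 9 through 13: exponential blinding (raising to a power from the blinding key and unblinding with the inverse power), multiplicative blinding (multiplying in a first message raised to the blinding power and dividing out its signed form), blinding of a message/signature pair so that it remains a valid pair for checking, and blinding of a challenge with unblinding of the response. The toy group (p = 23, q = 11, g = 4), the choice of the constant g as the "first message" whose signed form is the public key, and the sample values are all assumptions of the example.

```python
import secrets

# Toy group, constructed for illustration only: p = 2q + 1 with q prime, and every
# value used below is a square mod p, i.e. lies in the subgroup of prime order q.
P, Q, G = 23, 11, 4


def sign(m, x):
    """Undeniable signature: the message raised to the secret signing power x."""
    return pow(m, x, P)


def inverse_power(b):
    """Exponent that undoes raising to the power b inside the order-q subgroup."""
    return pow(b, -1, Q)


def random_blinding_key():
    return secrets.randbelow(Q - 1) + 1     # b in [1, q-1], invertible mod q


# Claim 12 style: blind by raising to a power derived from the blinding key,
# unblind by raising to the inverse power.
def blind_pow(m, b):
    return pow(m, b, P)


def unblind_pow(v, b):
    return pow(v, inverse_power(b), P)


# Claim 13 style: blind by multiplying in a first message (assumed here to be the
# constant g) raised to the blinding power; unblind by multiplying with the inverse
# of the signed form of that first message (the public key y = g^x) raised to the
# same power.
def blind_mul(m, b):
    return pow(G, b, P) * m % P


def unblind_mul(v, y, b):
    return v * pow(pow(y, b, P), -1, P) % P


def blinded_signature_pow(m, b, x):
    """Claim 9 with exponential blinding: the signer sees only m^b and returns
    (m^b)^x; the providing party recovers m^x without the signer learning m."""
    signed_blinded = sign(blind_pow(m, b), x)      # signer's step
    return unblind_pow(signed_blinded, b)          # providing party's step


def blinded_signature_mul(m, b, x):
    """Claim 9 with multiplicative blinding; unblinding needs only the public key."""
    y = pow(G, x, P)
    signed_blinded = sign(blind_mul(m, b), x)      # equals y^b * m^x
    return unblind_mul(signed_blinded, y, b)


def blind_pair(m, z, b):
    """Claim 10: blind the (unsigned, undeniably signed) pair consistently; the
    blinded pair is still a valid pair under the same key and can be used in place
    of the original pair when forming challenges and checking responses."""
    return pow(m, b, P), pow(z, b, P)


def blinded_response(c, b, x):
    """Claim 11: the checker blinds the challenge, the signer answers the blinded
    challenge with the inverse signing power, and the checker unblinds the response."""
    blinded_c = blind_pow(c, b)
    blinded_r = pow(blinded_c, pow(x, -1, Q), P)   # signer's step
    return unblind_pow(blinded_r, b)               # equals c^(x^-1)


if __name__ == "__main__":
    x, m = 5, 3                                    # constructed sample key and message
    b = random_blinding_key()
    z = sign(m, x)
    print(blinded_signature_pow(m, b, x) == z)     # True
    print(blinded_signature_mul(m, b, x) == z)     # True
    mb, zb = blind_pair(m, z, b)
    print(sign(mb, x) == zb)                       # True: blinded pair is still valid
    c = 9
    print(blinded_response(c, b, x) == pow(c, pow(x, -1, Q), P))   # True
```

Both unblinding steps rely on the group having known prime order q: the inverse of the blinding exponent is taken mod q, which is exactly what the signer's own inverse signing power also depends on, so a blinding party never needs anything the checking party does not already have.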

14. Cryptographic apparatus for forming and check- 
ing undeniable signatures where the signatures are 
called "undeniable" because they can be verified in a 
protocol between a signing party and a checking party 
and the signing party is unable to conduct the protocol 
improperly so as to "deny" the validity of a valid unde- 
niable signature previously issued by the signing party 
without such improper denial giving at least a probabil- 
ity with at least a known lower bound that the checking 
party will learn that the signing party has conducted the 
protocol improperly, said apparatus comprising: 

means for forming an undeniable signature from an 
unsigned message by said signing party using a 
private key corresponding to a public key, and the 
resulting undeniable signature being issued to at 
least one party other than the signing party; 

means for forming at least one challenge by a check- 
ing party using a challenge key known to said 
checking party, the challenge key being unknown 
to said signing party at least until a response by said 
signing party is committed to by the signing party, 
and the challenge at least partially depending on at 
least one member of a pair having a purported 
undeniable signature and said unsigned message, 
and supplying the at least one challenge to said 
signing party; 

means for transforming at least one said challenge 
received by said signing party using knowledge of 
said private key and returning to said checking 
party the result of the transformation as said re- 
sponse; and 

means for checking at least one said response re- 
ceived by said checking party using values at least 
depending on said challenge key, to give at least a 
probability having a known lower bound, that the 
signing party is unable to prevent the checking 
party from distinguishing between three cases: 
(a) that said purported undeniable signature is a 
valid undeniable signature corresponding both to 
said public key and to said unsigned message, (b) 
that the purported undeniable signature is not a 
valid undeniable signature corresponding both to 
the public key and to the unsigned message, and 
(c) that the response by the signing party is an 
improper response. 

15. Apparatus according to claim 14, wherein said 
lower bound on said probability is known to be at least 
one half. 

16. Apparatus according to claim 14, wherein said 
lower bound on said probability is known to be at least 
one minus a value that is super linear in the size of the 
challenge message. 

17. Apparatus according to claim 14, wherein said 
known lower bound on said probability is at least one 
minus the number of substantially distinct possible chal- 
lenges. 

18. Apparatus according to claim 14, wherein said 
means for forming include means for raising said un- 
signed message to a secret signing power derived from 
said private key, such exponentiation being performed 
in a finite structure where it is defined. 

19. Apparatus according to claim 18, wherein: 

at least part of said challenge is formed responsive to 
at least two undeniable signatures by raising the 
signatures to powers derived from said challenge 
key; 

at least part of said response is formed by raising at 
least part of said challenge to a power that acts 
substantially as the inverse of said secret signing 
power; and 

said checking is performed at least in part by raising 
the at least two unsigned messages corresponding 
to said at least two undeniable signatures to powers 
derived from said challenge key. 

20. Apparatus according to claim 19, wherein at least 
one of said two unsigned messages is a fixed constant 
and at least one of said two undeniable signatures is at 
least a part of said public key. 

21. Apparatus according to claim 14, wherein the 
means for forming, means for transforming, and means 
for checking perform computations over a group of 
prime order. 

22. Apparatus according to claim 14, wherein said 
means for forming includes means for raising said un- 
signed message to a signing power derived from said 
private key, such exponentiation being performed in a 
finite structure where the inverse of such exponents is 
unknown. 

23. Apparatus according to claims 14 or 22, wherein: 

at least part of said challenge is formed responsive to 
at least two unsigned messages by raising the two 
unsigned messages to powers derived from said 
challenge key; 

at least part of said response is formed by raising at 
least part of said challenge to a signing power; and 

said checking is performed at least in part by raising 
at least part of said response to powers derived 
from said challenge key. 

24. Apparatus according to claim 23, wherein at least 
one of said two unsigned messages is a public constant 
and at least one of said two undeniable signatures is at 
least a part of said public key. 

25. Apparatus according to claim 14, further includ- 
ing: 

means for blinding said unsigned message responsive 
to a blinding key before providing the resulting 
blinded unsigned message to said signing party in 
place of said unsigned message; and 

means for unblinding said undeniably signed message 
returned by said signing party responsive to said 
blinding key. 

26. Apparatus according to claim 14, further includ- 
ing: 

means for blinding, responsive to a blinding key, said 
undeniably signed message and also said corre- 
sponding unsigned message; and 

means for using said blinded undeniably signed and 
said blinded unsigned messages in place of said 
undeniably signed and said unsigned message, re- 
spectively, by said checking party in forming said 
challenge and in checking said response. 

27. Apparatus according to claim 14, further includ- 
ing: 

means for blinding, responsive to a blinding key, at 
least part of one of said challenge and said re- 
sponse; and 

means for unblinding, responsive to said blinding key, 
at least part of the other one of said challenge and 
said response. 

28. Apparatus according to claim 25 wherein: 

said means for forming includes means for raising said 
unsigned message to a secret signing power de- 
rived from said private key, such exponentiation 
being performed in a finite structure where it is 
defined; 

said blinding means includes means for raising the 
message to be blinded to a power derived from said 
blinding key; and 

said unblinding means includes means for raising the 
message to be unblinded to a power that acts as an 
inverse operation to that of said blinding operation. 

29. Apparatus according to claim 25 wherein: 

said means for forming includes means for raising said 
unsigned message to a secret signing power de- 
rived from said private key, such exponentiation 
being performed in a finite structure where it is 
defined; 

said blinding means includes means for forming a 
product of at least a first message which is raised to 
a blinding power derived from said blinding key 
times at least a second message to be blinded; and 

said unblinding means includes means for forming a 
product of the multiplicative inverse of the undeni- 
ably signed form of said first message raised to the 
blinding power times said second message. 

30. Apparatus according to claim 14 further includ- 
ing: 

means for issuing a public key digital signature by 
said signing party responsive to at least one said 
challenge and one said response; and 

means for checking said public key digital signature. 

31. A cryptographic method for forming and check- 
ing undeniable signatures where the signatures are 
called "undeniable" because they can be verified in a 
protocol between a signing party and a checking party 
and the signing party is unable to conduct the protocol 
improperly so as to "deny" the validity of a valid unde- 
niable signature previously issued by the signing party 
without such improper denial giving at least a probabil- 
ity with at least a known lower bound that the checking 
party will detect that the signing party has conducted 
the protocol improperly, the method comprising the 
steps of: 

forming at least one challenge by a checking party 
using a challenge key known to said checking 
party, the challenge key at least partially unknown 
to said signing party at least until a response by said 
signing party is substantially committed to by the 
signing party, and the challenge at least partially 
depending on at least one member of the triple 
consisting of a public key, an undeniable signature 
and an unsigned message, and supplying the at least 
one challenge to said signing party; 

transforming at least one said challenge received by 
said signing party using knowledge of a private key 
corresponding to said public key and returning to 
said checking party the result of the transformation 
as at least one said response; and 
checking said at least one response received by said 
checking party using predetermined values used by 
the checking party in forming said challenge, 
whereby the checking party can distinguish with a 
probability having a lower bound known at least to 
the checking party between at least two cases: (a) 
the signature is invalid, and (b) the response from 
the signer is improperly formed. 

32. A method according to claim 31 further including 
the step of: 

forming an undeniable signature from an unsigned 
message by said signing party using said private 
key corresponding to said public key, and the re- 
sulting undeniable signature being issued to at least 
one party other than the signing party. 

33. The method according to claim 31, wherein said 
signing party is unable with said probability having a 
known lower bound to prevent the checking party from 
distinguishing between said two cases because of the 
inability of the signing party to perform certain compu- 
tations in a predetermined available time period. 

34. The method according to claim 31, wherein said 
signing party is unable with said probability having a 
known lower bound to prevent said checking party 
from distinguishing between said two cases regardless 
of the computational resources available to the signing 
party. 

35. The method according to claim 32, wherein said 
signing party develops said public key and correspond- 
ing private key from a substantially randomly chosen 
seed and the signing party issues the public key making 
it receivable to at least said checking party. 

36. The method according to claim 34, wherein said 
known lower bound on said probability is at least one 
minus the number of substantially distinct possible chal- 
lenges. 

37. The method according to claims 1, 2, 3, 4, 5, 6, 31, 
32, 33, 34, or 35, wherein said lower bound on said 
probability is known to be at least one half. 

38. The method according to claim 37, wherein said 
lower bound on said probability is known to be at least 
one minus a value that is more than linear in the size of 
the challenge message. 

39. The method according to claims 1, 2, 3, 4, 5, 6, 36, 
31, 32, 33, 34, or 35, wherein said signing step comprises 
raising said unsigned message to a secret signing power 
derived from said private key, such exponentiation 
being performed in a finite structure where it is defined. 

40. The method according to claim 39, wherein said 
raising to said secret signing power is performed in a 
finite group. 

41. The method according to claim 40, wherein: 

at least part of said challenge is formed responsive to 
at least two undeniable signatures by raising the 
signatures to powers derived from said challenge 
key; 

at least part of said response is formed by raising at 
least part of said challenge to a power that acts 
substantially as the inverse of said secret signing 
power; and 

said checking is performed at least in part by raising 
the at least two unsigned messages corresponding 
to said at least two undeniable signatures to powers 
derived from said challenge key. 

42. The method according to claim 41, wherein at 
least one of said two unsigned messages is a fixed con- 
stant and at least one of said two undeniable signatures 
is at least a part of said public key. 

43. The method according to claims 1, 2, 3, 4, 5, 6, 36, 
31, 32, 33, 34, or 35, wherein the forming, transforming 
and checking steps comprise computations over a group 
of prime order. 

44. The method according to claim 31, wherein said 
response is committed to by said signing party issuing to 
said checking party the image of said challenge under a 
substantially one-way function. 

45. The method according to claim 44, wherein said 
substantially one-way function is substantially injective. 

46. The method according to claims 1, 2, 3, 4, 5, 6, 36, 
44, 45, 7, 31, 32, 33, 34, or 35, wherein: 

at least part of said challenge is formed responsive to 
at least two unsigned messages by raising the two 
unsigned messages to powers derived from said 
challenge key; 

at least part of said response is formed by raising at 
least part of said challenge to a signing power; and 

said checking is performed at least in part by raising 
at least part of said response to powers derived 
from said challenge key. 

47. The method according to claim 46, wherein at 
least one of said two unsigned messages is a public con- 
stant and at least one of said two undeniable signatures 
is at least a part of said public key. 

48. The method according to claim 1 or 31 including 
the steps of: 

issuing a public key digital signature by said signing 
party responsive to at least one said challenge and 
one said response; and 

checking said public key digital signature. 